Note to fellow-HTBers: Only write-ups of retired HTB machines or challenges are allowed.

Challenge info

fs0ciety [by subzer0x0]
We believe that there is an SSH Password inside password protected ‘ZIP’ folder. Can you crack the ‘ZIP’ folder and get the SSH password?

The challenge

We start off by downloading fs0ciety.zip and verifying its sha256sum against the hash displayed on the challenge page.

$ sha256sum fs0ciety.zip 
1b117d42978f9a0f0e6460f654bca51da8dedaa82a1ef540cd6253f109632dc8  fs0ciety.zip

We then unzip this file using the password provided on the challenge page. This gives us the very similarly named fsociety.zip.

$ unzip fs0ciety.zip 
Archive:  fs0ciety.zip
[fs0ciety.zip] fsociety.zip password: 
  inflating: fsociety.zip

We list the contents of this second zip file and, on trying to extract it, notice that it is password protected as well.

$ unzip -l fsociety.zip 
Archive:  fsociety.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
      729  2017-08-15 17:44   sshcreds_datacenter.txt
---------                     -------
      729                     1 file

$ unzip fsociety.zip 
Archive:  fsociety.zip
[fsociety.zip] sshcreds_datacenter.txt password: 
   skipping: sshcreds_datacenter.txt  incorrect password

Bruteforcing the zip password

First we create a hash file from the zip with zip2john, which can then be fed to a password cracking tool like john.

$ zip2john fsociety.zip > /tmp/encrypted.hash
ver 2.0 fs0ciety.zip/fsociety.zip PKZIP Encr: cmplen=335, decmplen=394, crc=1004499F
$ cat /tmp/encrypted.hash 
fsociety.zip/sshcreds_datacenter.txt:$pkzip2$1*1*2*0*c6*2d9*e126a116*0*35*8*c6*e126*8d9c*ee49af82113993a8062a3e309f126a6735d8fe7d6ca4382fdbd7aa6609b64411a43072212235835bb746967be74f4ea33014b695fe648799add3880671ae20caf3f854d73d6040dbb57f66db7328761e0cbecb85d5df465d4d4eabfee1fdbef6d9bbe2b6d86bc5bbdb2a30694181b7ec709c803022a7993fdca9234ebbabe54ec1dc118e49eff1faba92abd1eabcb1381d24139807604343caa2cf18359e3b7a594ed25d48805941deccf728f04fa4937a949c0c335344028a3f60eb74fc495e50f58ff8ad81*$/pkzip2$:sshcreds_datacenter.txt:fsociety.zip::fsociety.zip

We then crack the password by running john against this hash file. With no options given, john first tries its single-crack mode and then its default wordlist; the password turns up during the wordlist pass.

$ john /tmp/encrypted.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 7 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
justdoit         (fsociety.zip/sshcreds_datacenter.txt)
1g 0:00:00:00 DONE 2/3 (2019-08-22 15:58) 8.333g/s 398941p/s 398941c/s 398941C/s 123456..ferrises
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Using the freshly discovered password justdoit, we can now unzip fsociety.zip.

Decoding the SSH password

The content of the text file doesn’t look like a password. However, it does look very similar to a Base64 encoded string.

$ cat sshcreds_datacenter.txt 
*****************************************************************************************
Encrypted SSH credentials to access Blume ctOS : 

MDExMDEwMDEgMDExMDAxMTAgMDEwMTExMTEgMDExMTEwMDEgMDAxMTAwMDAgMDExMTAxMDEgMDEwMTExMTEgMDExMDAwMTEgMDEwMDAwMDAgMDExMDExMTAgMDEwMTExMTEgMDAxMDAxMDAgMDExMDExMDEgMDAxMTAwMTEgMDExMDExMDAgMDExMDExMDAgMDEwMTExMTEgMDExMTAxMTEgMDExMDEwMDAgMDEwMDAwMDAgMDExMTAxMDAgMDEwMTExMTEgMDExMTAxMDAgMDExMDEwMDAgMDAxMTAwMTEgMDEwMTExMTEgMDExMTAwMTAgMDAxMTAwMDAgMDExMDAwMTEgMDExMDEwMTEgMDEwMTExMTEgMDExMDEwMDEgMDExMTAwMTEgMDEwMTExMTEgMDExMDAwMTEgMDAxMTAwMDAgMDAxMTAwMDAgMDExMDEwMTEgMDExMDEwMDEgMDExMDExMTAgMDExMDAxMTE=

*****************************************************************************************

Base64-decoding the string returns a bunch of 1's and 0's in groups of eight, i.e. what appears to be ASCII text written out in binary.

$ echo "MDExMDEwMDEgMDExMDAxMTAgMDEwMTExMTEgMDExMTEwMDEgMDAxMTAwMDAgMDExMTAxMDEgMDEwMTExMTEgMDExMDAwMTEgMDEwMDAwMDAgMDExMDExMTAgMDEwMTExMTEgMDAxMDAxMDAgMDExMDExMDEgMDAxMTAwMTEgMDExMDExMDAgMDExMDExMDAgMDEwMTExMTEgMDExMTAxMTEgMDExMDEwMDAgMDEwMDAwMDAgMDExMTAxMDAgMDEwMTExMTEgMDExMTAxMDAgMDExMDEwMDAgMDAxMTAwMTEgMDEwMTExMTEgMDExMTAwMTAgMDAxMTAwMDAgMDExMDAwMTEgMDExMDEwMTEgMDEwMTExMTEgMDExMDEwMDEgMDExMTAwMTEgMDEwMTExMTEgMDExMDAwMTEgMDAxMTAwMDAgMDAxMTAwMDAgMDExMDEwMTEgMDExMDEwMDEgMDExMDExMTAgMDExMDAxMTE=" | base64 -d -
01101001 01100110 01011111 01111001 00110000 01110101 01011111 01100011 01000000 01101110 01011111 00100100 01101101 00110011 01101100 01101100 01011111 01110111 01101000 01000000 01110100 01011111 01110100 01101000 00110011 01011111 01110010 00110000 01100011 01101011 01011111 01101001 01110011 01011111 01100011 00110000 00110000 01101011 01101001 01101110 01100111

We feed this data into a binary-to-text decoder (e.g. https://cryptii.com/pipes/binary-decoder), which turns each 8-bit group back into its ASCII character and gives us the SSH password.

if_y0u_c@n_$m3ll_wh@t_th3_r0ck_is_c00king
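The same two-layer decode (Base64, then 8-bit binary groups to ASCII) can be done offline without a web tool. The following script is an added example and not part of the original write-up; it goes slightly beyond the case above in that it also accepts binary without separating spaces. The Base64 string is the one from sshcreds_datacenter.txt; the function names are my own.

```python
import base64

# The Base64 string found in sshcreds_datacenter.txt (copied from the write-up above).
ENCODED = "MDExMDEwMDEgMDExMDAxMTAgMDEwMTExMTEgMDExMTEwMDEgMDAxMTAwMDAgMDExMTAxMDEgMDEwMTExMTEgMDExMDAwMTEgMDEwMDAwMDAgMDExMDExMTAgMDEwMTExMTEgMDAxMDAxMDAgMDExMDExMDEgMDAxMTAwMTEgMDExMDExMDAgMDExMDExMDAgMDEwMTExMTEgMDExMTAxMTEgMDExMDEwMDAgMDEwMDAwMDAgMDExMTAxMDAgMDEwMTExMTEgMDExMTAxMDAgMDExMDEwMDAgMDAxMTAwMTEgMDEwMTExMTEgMDExMTAwMTAgMDAxMTAwMDAgMDExMDAwMTEgMDExMDEwMTEgMDEwMTExMTEgMDExMDEwMDEgMDExMTAwMTEgMDEwMTExMTEgMDExMDAwMTEgMDAxMTAwMDAgMDAxMTAwMDAgMDExMDEwMTEgMDExMDEwMDEgMDExMDExMTAgMDExMDAxMTE="


def looks_like_binary(text: str) -> bool:
    """True if, ignoring whitespace, the text is only 0/1 and its length is a multiple of 8."""
    compact = "".join(text.split())
    return bool(compact) and not compact.strip("01") and len(compact) % 8 == 0


def parse_bit_groups(text: str) -> list[str]:
    """Split a binary blob into 8-bit groups.

    Works both for space-separated groups (as in the challenge file) and for one
    unbroken run of bits, which some encoders emit instead.
    """
    if not looks_like_binary(text):
        raise ValueError("input is not a whole number of 8-bit binary groups")
    compact = "".join(text.split())
    return [compact[i:i + 8] for i in range(0, len(compact), 8)]


def bits_to_text(groups: list[str]) -> str:
    """Turn each 8-bit group into the character with that code point."""
    return "".join(chr(int(group, 2)) for group in groups)


def decode_ssh_password(encoded: str) -> str:
    """Peel both layers: Base64 -> binary text -> ASCII."""
    # validate=True rejects stray characters instead of silently skipping them.
    binary_text = base64.b64decode(encoded.strip(), validate=True).decode("ascii")
    return bits_to_text(parse_bit_groups(binary_text))


def to_htb_flag(password: str) -> str:
    """Wrap the recovered password in the HTB flag format."""
    return "HTB{" + password + "}"


if __name__ == "__main__":
    password = decode_ssh_password(ENCODED)
    print(password)
    print(to_htb_flag(password))
```

Checking the group length up front matters in practice: a binary blob whose length is not a multiple of eight usually means a truncated copy-paste or a 7-bit encoding, and silently decoding it would produce a wrong password with no error.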

Note that HackTheBox has a certain syntax for flags, so you need to adjust this password to fit the flag requirements.

HTB{if_y0u_c@n_$m3ll_wh@t_th3_r0ck_is_c00king}